CN105468543B - Method and device for protecting sensitive information - Google Patents
Method and device for protecting sensitive information Download PDFInfo
- Publication number
- CN105468543B CN105468543B CN201410461447.9A CN201410461447A CN105468543B CN 105468543 B CN105468543 B CN 105468543B CN 201410461447 A CN201410461447 A CN 201410461447A CN 105468543 B CN105468543 B CN 105468543B
- Authority
- CN
- China
- Prior art keywords
- file
- blocks
- memory
- memory block
- processing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
Abstract
The invention provides a method and a device for protecting sensitive information, wherein the method comprises the following steps: applying for a plurality of memory blocks with randomly determined lengths, wherein each memory block is acquired in a dynamic allocation mode, is associated with the memory block by a discontinuous data structure, and stores the reference information of the memory block by utilizing a plurality of nodes in the data structure; and dividing the decrypted file containing the sensitive information into a plurality of file blocks with corresponding sizes, and respectively storing the file blocks in the plurality of memory blocks. The method and the device can increase the complexity of an attacker for acquiring the original file content. In other words, even if an attacker can locate the start position of sensitive information in the dumped memory data, the complete original file content cannot be easily acquired.
Description
Technical Field
The invention relates to the field of mobile internet, in particular to a method and a device for protecting sensitive information.
Background
With the continuous development of mobile broadband technology and terminal hardware platform technology, the available computing resources on the mobile terminal can sufficiently meet the requirements of various office scenes, and the cheap and available wireless network can also help people to access various data and files which can be acquired through a fixed network by using the mobile terminal anytime and anywhere. With the development of the mobile terminal operating system technology, various application software which can only be used in the desktop office system has been developed in various mobile operating system environments in a manner suitable for the operation of the mobile terminal user. The popularity of these infrastructure has driven the use of mobile terminals in corporate office environments to become more and more prevalent.
When a corporate employee performs various office operations using a mobile terminal owned and distributed by the corporation, it is important to consider the security of various data used during such operations, the security of the network, and the like. However, the requirement that the user only installs the specified application on the special mobile phone to complete the mobile office is completely limited, and obviously, the efficient, comfortable and convenient experience target which can be originally achieved by the user through the mobile terminal office is deviated. Thus, the actual operating environment of enterprise application software is a complex system environment that mixes enterprise-specific applications with user-owned applications, even if there are a number of security concerns. This is the main demand-driven source of various BYOD (growing young Own Device) implementation technologies.
Some of currently commonly used BYOD implementation technologies develop enterprise security applications based on a special API (application programming Interface), and some of the commonly used BYOD implementation technologies add security functions such as VPN (Virtual private network) login, data isolation, information management and control to application software which does not have an enterprise security policy function by directly modifying a software installation package or using an original software installation package as a load of a new software installation package for an existing third-party application. Regardless of which BYOD implementation technique is employed, encryption techniques are required in terms of protection of sensitive information. For example, when an original application installation package needs to be protected, the software installation package needs to be stored in an encrypted form; when the file data operated by the user needs to be protected, the file can also be saved in an encrypted form.
Since encryption is available, decryption is naturally required, otherwise, direct use of the encrypted data only results in the failure of the original functions of the software. This decryption operation can only be performed at runtime of the software, otherwise the significance of protection of sensitive information is lost. In this case, the operating environment in which the decryption operation is performed has to be considered. In the BYOD scenario, even enterprise application software that has been security hardened, which is running in a user terminal environment full of security risks, may encounter various known and unknown security attacks. This unmanageable security environment is generally referred to as a white-box environment, as opposed to a black-box environment where the operating details inside the software, such as process space, etc., are not accessible to the user, but in such a white-box environment this assumption will not hold.
In order to ensure the normal execution of the functions of the enterprise application software, the encrypted files must be decrypted again and then used. However, in a BYOD service scenario, an enterprise application runs in a white-box environment, so that a decrypted file cannot be directly saved in an external file system in a clear manner, otherwise sensitive information to be protected is exposed to a risk of leakage. A simple way to resolve this conflict is to: these already decrypted information are protected with an internal file. However, when an attacker analyzes the whole address space of the user process by using a memory dump method, the decrypted memory files can be easily located, and the attacker can obtain the original content of the required sensitive information.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a method and a device for protecting sensitive information so as to increase the complexity of an attacker for acquiring the original file content.
In order to solve the above technical problem, the present invention provides a method for protecting sensitive information, comprising:
applying for a plurality of memory blocks with randomly determined lengths, wherein each memory block is acquired in a dynamic allocation mode, is associated with the memory block by a discontinuous data structure, and stores the reference information of the memory block by utilizing a plurality of nodes in the data structure;
and dividing the decrypted file containing the sensitive information into a plurality of file blocks with corresponding sizes, and respectively storing the file blocks in the plurality of memory blocks.
Further, the method also has the following characteristics: the applying for the plurality of memory blocks with randomly determined lengths comprises:
and setting the random length of the applied memory block for storing the file characteristic information to be smaller than the length of the file characteristic information.
Further, the method also has the following characteristics: after applying for a plurality of memory blocks with randomly determined lengths, the method further includes:
and rearranging the plurality of memory blocks in a random sequence, and then storing the file blocks.
Further, the method also has the following characteristics:
the reference information of the memory block includes: an address pointer pointing to the memory block, the length of the memory block and the position information of the file block stored in the memory block in the file;
the nodes in the data structure also hold address pointers pointing to upper and/or lower nodes.
Further, the method also has the following characteristics:
the method further comprises the following steps: and converting one or more items of information stored in the data structure nodes, wherein the conversion modes adopted by different items are the same or different.
Further, the method also has the following characteristics:
further comprising: when the data structure is provided for use by other program modules, security processing is performed.
Further, the method also has the following characteristics:
before dividing the file into a plurality of file blocks of corresponding sizes, or before storing the divided file blocks in the plurality of memory blocks, further comprising: and processing the data of the file or the data of the file block into contents which cannot be directly used.
In order to solve the above problem, the present invention further provides an apparatus for protecting sensitive information, wherein the apparatus comprises:
an application module, configured to apply for a plurality of memory blocks with randomly determined lengths, where each memory block is obtained in a dynamic allocation manner, and is associated with the memory block in a discontinuous data structure, and reference information of the memory block is stored by using a plurality of nodes in the data structure;
and the storage module is used for dividing the decrypted file containing the sensitive information into a plurality of file blocks with corresponding sizes and respectively storing the file blocks in the plurality of memory blocks.
Further, the device also has the following characteristics:
the application module is further configured to set a random length of the applied memory block for storing the file characteristic information to be smaller than the length of the file characteristic information.
Further, the device also has the following characteristics: also comprises the following steps of (1) preparing,
and the arranging module is used for rearranging the plurality of memory blocks applied by the applying module in a random sequence and then triggering the storing module to store the file blocks.
Further, the device also has the following characteristics: further comprising:
the application module applies for the reference information of the memory block, including: an address pointer pointing to the memory block, the length of the memory block and the position information of the file block stored in the memory block in the file;
the nodes in the data structure also hold address pointers pointing to upper and/or lower nodes.
Further, the device also has the following characteristics: further comprising:
and the processing module is used for converting one or more items of information stored in the data structure node, and the conversion modes adopted by different items are the same or different.
Further, the device also has the following characteristics: further comprising:
and the processing module is used for carrying out safety processing when the data structure is provided for other program modules for use.
Further, the device also has the following characteristics: further comprising:
and the processing module is configured to process the data of the file or the data of the file block into contents that cannot be directly used before the storing module divides the file into a plurality of file blocks of corresponding sizes, or before the plurality of divided file blocks are stored in the plurality of memory blocks, respectively.
In summary, the present invention provides a method and an apparatus for protecting sensitive information, which can increase the complexity of an attacker for obtaining the content of an original file. In other words, even if an attacker can locate the start position of sensitive information in the dumped memory data, the complete original file content cannot be easily acquired.
Drawings
Fig. 1 is a layout diagram of an address space of a general user process under a 32-bit Android operating system in the prior art.
FIG. 2 is a diagram of a memory region of a prior art sequential application.
Fig. 3 is a flowchart of protecting sensitive information according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating organization of fragmented memory chunks using a linked list approach according to an embodiment of the invention.
FIG. 5 is a diagram illustrating an example of using a binary tree to organize fragmented memory chunks according to an embodiment of the present invention.
Fig. 6 is a schematic diagram of performing conversion processing on key information in an object node in a data structure according to an embodiment of the present invention.
Fig. 7 is a schematic diagram of an apparatus for protecting sensitive information according to an embodiment of the present invention.
Detailed Description
Fig. 1 illustrates a layout diagram of an address space of a general user process in a 32-bit Android operating system, and in other terminal operating systems, memory layouts of user process spaces including a Linux operating system at a PC side are also similar.
As shown in fig. 1, the address space refers to the virtual address space of the user process, so the address layout is a continuous flat space; these addresses may not be contiguous if mapped to physical memory. For enterprise application in a white-box operating environment, no security guarantee is added. In other words, although the memory regions requested by the user processes are physically interleaved throughout the runtime environment with the memory regions requested by other processes, the address space is continuous from the perspective of a single user process. In this continuous address space, it is possible to explicitly locate code segments, data segments, memory allocation heaps, stack spaces, and address spaces occupied by shared libraries mapped in the user process, etc. that are mirrored by the user process. In a certain terminal os environment, many of the boundaries of these parameters are preset, for example, in a 32-bit Android os environment, the user process code segment starts with a 0x2a000000 virtual address (higher version Linux kernel may support a memory address randomization function, where a random offset is added to the starting address, but this is also a known parameter for an attacker in a white-box environment), and the next part is a statically allocated data segment followed by the space occupied by the memory heap. And the memory dynamically applied by the user process during the operation is distributed in the heap space. Therefore, for an attacker in the white-box operating environment, as long as the opportunity of memory dump is obtained, the storage position of the locating file can be searched in the heap space according to the known characteristic information of the target file.
Fig. 2 illustrates the security risk that may be encountered if the decrypted file content is stored in the memory area of a continuous application. As can be clearly seen from fig. 2, as long as an attacker can clearly know the property information of the file header, this is easily obtained, for example, in an Android operating environment, the dex file contains the bytecode generated after all Java code in the user application is compiled. The file is characterized in that the first 8 bytes are ASCII characters 'dex \ n' or 'dey \ n' plus version numbers, and the version numbers are only two, namely '036' and '035', and even if the byte order in the operating environment is different, the target characteristic byte arrays to be searched are only 8. This unambiguous feature is also possible for sensitive information files that are of interest to other possible attackers. In particular, these fixed format files usually have information such as header length, file length, etc. in the metadata of their headers. Therefore, as long as the starting virtual address of the file data storage can be located according to the characteristic information of the file, the original content of the sensitive data can be conveniently obtained from the exported user process space data.
The embodiment of the invention aims to design an attack means capable of resisting the memory dump, so that an attacker can easily acquire sensitive information when the enterprise application after security reinforcement runs without decrypting the sensitive information, and the security of the enterprise application is further improved.
The reason why the attacker can analyze and acquire the original sensitive information in a memory dump manner is mainly because the attacker can search and locate the start position of the original file in the memory image according to the characteristic information of the original file, such as a standard file header, and acquire metadata (possibly including parameters such as file length) of the file according to the file header. At this time, if the file data is stored in the memory in a continuous address manner, the attacker can intercept the file content only by adding the file length parameter to the corresponding file header position. Even if the file length parameter is not known, the accurate original content of the file can be obtained in a step-by-step trial mode. If the attacker can not obtain the characteristic information of the file header, but locate the sensitive information in the memory according to the characteristics of other positions of the file, because the file data is continuously stored, part or all of the original file content can be obtained according to the correlation of the decrypted file content.
In summary, as long as the decrypted file content is stored in the memory in a continuous manner, it cannot prevent an attacker from analyzing and obtaining the sensitive information that is originally encrypted in a manner of internal storage and transfer storage in the white-box operating environment.
Fig. 3 is a flowchart of protecting sensitive information according to an embodiment of the present invention, and as shown in fig. 3, the method according to the embodiment includes:
s11, applying for a plurality of memory blocks with randomly determined lengths, wherein each memory block is obtained in a dynamic allocation mode, is associated with the memory block by a discontinuous data structure, and stores the reference information of the memory block by a plurality of nodes in the data structure;
and S12, dividing the decrypted file containing the sensitive information into a plurality of file blocks with corresponding sizes, and respectively storing the file blocks in the plurality of memory blocks.
The scheme provided by the embodiment of the invention stores the file contents which are originally required to be stored continuously in the memory in a fragmentation mode. Therefore, information leakage caused by writing the file content into the file system can be avoided, and the analysis means of the memory dump which can be used by an attacker can be resisted to a great extent.
The decrypted file content is stored in fragmented memory blocks, each memory block is obtained in a dynamic allocation mode, and random memory block length is used when applying for. In order to make it difficult for an attacker to locate sensitive information according to the header characteristics, the random length of the memory block containing the sensitive information characteristic data may be set to be as small as possible as the header characteristic length. Although random, the range of values can be specified in programming implementation.
When the fragmentation processing mode is used, a discontinuous data structure is created, and the reference information of the memory blocks is stored by using a plurality of nodes in the data structure, for example, a tree data structure such as a linked list or a binary tree is used to store the reference information of the memory blocks. The memory blocks that have been applied for this application should be kept without using a continuous data structure such as a pointer array or an object array, but organized in a data structure such as a linked list or a binary tree, and pointers in node objects in these data structures point to the start address of each block of data.
The reference information of the memory block may include: an address pointer pointing to the memory block, the length of the memory block and the position information of the file block stored in the memory block in the file;
the nodes in the data structure also hold address pointers pointing to upper and/or lower nodes.
In the node objects of these data structures, at least the length of each memory block and the location information of the memory block in the whole file need to be saved, so as to facilitate the continuous access and random access of the program to the file data.
Key information stored in node objects in the data structures, such as address pointers, data block lengths, data block position information and the like, can be converted to prevent an attacker from analyzing the used data structures and the complete content of the file by using a reverse technology.
And converting one or more items of information stored in the data structure nodes, wherein the conversion modes adopted by different items can be the same or different.
The file data structure after the safety processing can be provided for other program modules after being packaged, so that the increase of the implementation complexity of an external module caused by the application of a safety reinforcing technology is reduced as much as possible;
the security process here may be reversible and various linear or non-linear operations, such as shift, mapping table, exclusive or, etc., can be loaded with the value range of the operation result in the data structure.
Of course, further processing of the data in the memory block is possible, without recording the original information, but only calculating and restoring the original content of the file data block when the data is read out, and processing it as content that is not directly usable when the external module writes the data into the data block.
By adopting the implementation scheme described in the embodiment, when the enterprise application runs in an insecure mobile terminal environment in a white-box form, and an attacker uses an attack technique such as memory dump, the file content which is decrypted can be ensured not to be easily acquired, so that the security of the enterprise application during running is increased.
The following describes the embodiments in further detail with reference to the accompanying drawings.
FIG. 4 illustrates an implementation sample of using a linked list approach to organize fragmented file blocks:
first, the memory for storing the actual file content is dynamically applied in blocks smaller than the file length. However, the memory block length at the time of application is randomly selected, as long as the value is much smaller than the actual length of the file. Of course, if this value is too small, the number of file blocks to be processed in reading and writing a file may be too large, resulting in a decrease in processing efficiency. If the value is too large, the number of file blocks is reduced, and the difficulty of a natural attacker for acquiring the original content of the file by using the file characteristics is reduced. When the number of file blocks is too small, even if an attacker cannot acquire the whole content of the file at one time, the attacker may acquire the required sensitive information only through a few file blocks or even one file block, which is certainly desirable to avoid the situation when the security reinforcement function is implemented. Therefore, the optional range of the random value and the actual value of each time when determining the length of the dynamic application block need to be balanced among the actual terminal processing capacity, the application performance requirement and the security reinforcement target.
Generally, a specific implementation method of a memory allocation algorithm provided by an operating system and an application framework completes allocation in different pre-application memory pages according to memory allocation requests with different lengths. In other words, using random memory length can prevent an attacker from determining the location of the file chunk according to the length of the memory chunk on the one hand, and on the other hand, can make the location of the allocated memory chunk discontinuous in the user process space, which is actually a main objective that is expected to be achieved by using fragmented memory to store the file content. Of course, in order to improve the security of the system as much as possible, the previously applied memory blocks with different lengths may be rearranged in a random order and used, so as to ensure that the memory blocks finally used for storing the actual content of the file are discretized in the user process space as much as possible.
In order to enable the application to normally access the allocated memory blocks at runtime, and to maintain the inherent sequential relationship between the file blocks, the address information and the location information of the file blocks need to be organized in a certain form. In fact, the organization mode can be various, and is acceptable as long as it can ensure that the application module can efficiently complete continuous and random read-write operations on the file content. However, it is not possible to organize file blocks in a continuous array, such as a pointer array or an object array. The reason is that even if each data unit in the array is processed safely, an attacker can still use the linear relationship between the data units to analyze the locations of the memory blocks related to the data units, and further find the target file block from the address space which has been dumped. Only when discontinuous data structures such as a linked list, a binary tree and the like are adopted to store reference information of the data blocks, the safety brought by the fragmented file access mechanism can be ensured to be really realized.
FIG. 4 is a simple sample implementation of saving file block references using a doubly linked list implementation. In this example, each data node in the linked list is a custom structure. The information elements required to be stored in the structure include: the address of the memory block pointed by the current node, the length of the memory block, and the location of the memory block in the file. Of course, to implement a doubly linked list data structure, an address pointer to the next linked list node and an address pointer to the previous linked list node also need to be defined in the structure. Since the linked list node object and the memory block object are both obtained by adopting a dynamic application mode, the linked list node object and the memory block object are stored in a discontinuous mode from the view of the address space when the actual user process runs, so that the difficulty of an attacker in accessing each memory block can be increased.
The use of doubly linked lists to store reference information for file blocks may advantageously support sequential access requests to files. This is evident because in each node of the linked list there is an address pointer to the next node. All file block address pointers can be obtained by accessing each linked list node one by one along the sequence of the pointers, and the file content can be read and written according to the lengths of the file blocks. However, if an application wants to complete random reading and writing of a file, the application needs to access the nodes of the linked list one by one from the head of the linked list, and determine which file block or blocks to read and write according to the position of the file block pointed by the node in the whole file. Although the characteristic of the doubly linked list can be utilized, when a program accesses a certain node in the middle of the linked list, the procedure of positioning processing is accelerated by directly accessing a preamble node of the current node through a backward pointer, when a random access request of each application arrives, the position of the pointer of the current position of the file is unknown, so that the file block reference information is only stored by adopting the doubly linked list structure, and the method may be unsuitable in the occasions with extremely high performance requirements.
For this purpose, in fig. 5, an implementation example of an application for saving file blocks in the form of a simple binary tree is also given. Of course, tree-like storage structures far beyond binary trees can be chosen, and thus the description given herein can be viewed as a generalization of the general concept of using tree-like storage structures in such functional scenarios. Because, even if other tree-like data structures are used to store these references to file blocks, the possible differences compared to using only a simple binary tree are mainly the algorithm for inserting nodes needs to be adjusted according to the specific data structure and the algorithm for searching and traversing nodes, however, the main idea is not changed, that is, using nodes that are discrete in the user process space to store reference information for fragmented file blocks and providing the most efficient access means for applications. It should be noted that, when the requirement on the use efficiency of the memory is not high, the deletion of the node or the memory block in the access interface of the external application does not need to be implemented, but only the addition of the memory block or the insertion of the node is needed when necessary.
As can be seen from fig. 5, in the node object of each binary tree, as in the doubly linked list implementation example, an address pointer to each memory block is also maintained, as well as the length of the memory block and the location information in the file. However, due to the structural characteristics of the binary tree, an address pointer pointing to the left child node and an address pointer pointing to the right child node are also set in each node object. It can be simply designed here that each node in the tree is able to hold data, i.e. reference information of the corresponding memory block. In this organization mode, the position of each memory block in the file can be used as the key value of the node, thus naturally ensuring the node sequence relation required by the binary tree structure. Of course, other key values may be used, such as the number of file blocks, etc. The relationship between the nodes may be designed such that the file blocks pointed to by the nodes in all left sub-trees are located earlier in the file than the current node points to, and the file blocks pointed to by the nodes in all right sub-trees are located later than the current node points to. Therefore, when the tree structure is traversed in a medium-sequence mode, the sequential access to the files can be completed through the file block information pointed in each node. When the application needs to realize the random access to the file, the advantage of ordered organization among the nodes in the tree structure can be utilized, and the number of the nodes which need to be accessed when searching the file block is reduced.
In the scheme of this embodiment, the file contents are stored in fragmented memory blocks, and the reference information elements pointing to these memory blocks are organized as discretized nodes in the form of linked lists, binary trees, and the like, but these nodes store address information pointing to other nodes, in particular, address information pointing to each file block, and also the length of each file block and location information in the file. As long as the attacker finds one of the node objects and knows the data organization form in the node object, it is still possible to find other nodes and file blocks holding the file content one by one. For example, when an attacker locates a first file block according to the characteristics of a file header, the attacker can naturally obtain the corresponding address of the file block in the user process space, and can find the corresponding reference node again according to the address, so that as long as the attacker knows the organization way of each reference node, the task of finding the file block which is stored in a discretized manner again can be realized.
Therefore, to ensure the security of sensitive information, the contents of the reference nodes pointing to those memory cells can also be securely processed. An implementation sample diagram is given in fig. 6. This is an illustration of the aforementioned implementation of a reinforcement process when a doubly linked list is used to organize fragmented memory chunk reference nodes. In this implementation example, each address pointer pointing to other locations needs to be transformed, which includes each pointer pointing to the next node and the previous node in the linked list nodes, and the pointer pointing to the memory block. Thus, when searching for each known address information directly in the in-memory dump data, it is impossible to find the corresponding pointer accurately. The specific conversion algorithm can be various, including simple comparison table conversion, or conversion of address information by using an encryption method or a certain nonlinear formula, and the better the security reinforcement effect is possibly obtained by the conversion method which is less known.
Of course, the null pointer in each node may be considered not to be converted, and although this may provide convenience for an attacker to locate the node object, if the conversion result of each null pointer is the same, it may provide a good clue for the analysis of the attacker, and may also expose the method of conversion of other addresses. This is, of course, relevant to the particular conversion method used. When a certain conversion method is adopted, when the final security obtained by selecting the empty pointer for conversion is higher, a method for conversion instead of neglecting is naturally selected. As long as the explicit association between a memory block and its corresponding reference node can be cut off, it becomes less easy to find the other party from one party.
Similar to the conversion of the address parameters, the length of the memory block in the reference node and the location information of the memory block in the file are converted, so that the security of the specific implementation can be improved. Like address translation, the translation method used here can be selected in different program implementations according to actual needs.
In addition, in the figure, different processing for the next node address pointer and the previous node address pointer is also shown. If the same translation is used, some strongly correlated address fragments will appear in the memory, and the analysis program will be able to discover this apparent feature and then locate these addresses. Such sensitive information is exposed to risks.
Because the conversion processing aiming at the address parameters, the length of the memory block, the position and other information is adopted, when the traversal and positioning processing of the structures such as the linked list or the binary tree is realized, the parameters need to be processed reversely to obtain the original parameters, so that the memory address pointed by the pointer, the length of the memory block and the corresponding file position can be obtained.
Due to the adoption of the processing modes for storing the files, when the actual application program reads and writes the file content, the actual application program can not read and write the file content only through the standard library function any more, but a packaged customized interface is used. Regardless of the form of reference node organization, such as a chain table and binary tree, etc., the application is not aware of the changes when accessing fragmented file content, as long as the custom interface remains unchanged. It is not even necessary for an application to know whether the file contents have been stored in fragmented form or, as is usual, in a contiguous block of memory, other than by using a designated read-write access interface.
A sample definition of an interface is:
1. when an application opens a file containing sensitive information, a fragmented storage area is created with a specified file length requirement: the input parameter is file length, or no input, indicating that such a file was created with a default or 0 length. And the return object is a pointer to the head node of the storage region.
For applications, standard open file operations are also used, but in internal library implementations, the functional interfaces described herein may have been referenced. An internal library implementation might first decrypt the file and then call a function that creates the fragmented regions with the decrypted file length as a parameter.
2. The application expands an already created fragmented storage area by a specified length: the input parameters are a pointer to the head node of the created storage area and the length of the file to be expanded. The return object is a pointer to the head node of the storage region.
3. When closing an encrypted file, the application releases a fragmented storage area: the input parameter is a head node pointer of the created storage area, and the return parameter is a mark of success or failure of execution.
4. An application requests to read a specified portion or all of the fragmented memory area: the input parameters are naturally the head node pointer of the already created memory area, the offset needed to start reading, the data length needed to read, the output buffer, etc., and the output parameters are the number of bytes actually read.
5. An application requests to write to a specified portion of the fragmented storage area: similar input and output parameters are provided for read requests, including pointers to memory locations and offsets of file locations for which a write operation is to begin, and the length of data to be written and the buffer in which the data to be written is located. And the interface returns the number of bytes of data that are actually written to completion. For the read request and the write request, some special interfaces can be further defined, including special reading of a character and special writing of a character, etc., so as to facilitate the use of the application.
6. Sometimes, the external application needs to obtain the address of a specific location in the file, and then a special interface needs to be designed to return the pointer. The external application cannot access the memory in a continuous manner only after obtaining the pointer.
If the application cannot be conveniently developed after the interface packaging function is provided, or the application can only execute reading and writing of the memory file in a standard file library interface form, a layer of packaging needs to be performed on the basis of the interface, an access interface is provided externally in a standard file object form, and the customized interface is reused when the file object is internally processed. Thus, almost no additional adaptation burden is left for application development.
Since a special interface is provided to access the fragmented file storage area, such an interface has effectively isolated the original data accessed in the application from the data saved to memory. In other words, even in memory chunks that have been fragmented, the original content of the file does not necessarily have to be preserved. It has been mentioned above that if the file content is saved in raw form, even after fragmentation, the attacker can search and locate the first file block directly, unless the first file block is small enough not to accommodate the length of the signature bytes that the attacker needs to match. The previously described schemes have given a number of designs to ensure that even if an attacker gets a small fragment of a file, they are not sufficient to continue to obtain other sensitive information. However, even an attacker can be prevented from acquiring the file block with the property information as long as further processing is performed on this special interface. This step of treatment is optional, but does enhance the security achieved by adding such treatment.
This secure conversion process on the specialized interface can be understood as re-encryption and decryption of the file content that has been fragmented for storage. However, in the general symmetric and asymmetric encryption processing, a memory block with a fixed length is required as an input of the encryption/decryption processing module, such as 8 bytes, 16 bytes, or even 128 bytes. Thus, the flexibility of random reading and writing of files is greatly reduced for the application module, or the security conversion process on the special interface becomes complicated and inefficient. Therefore, the conversion method based on one byte is selected at this time, and although the security is low, it is appropriate for the efficiency of reading and writing the file. The fragmentation process provides the necessary security for the overall safety, so that the optional further processing process does not require too much complexity to meet the requirements.
Fig. 7 is a schematic diagram of an apparatus for protecting sensitive information according to an embodiment of the present invention, as shown in the drawing, the apparatus of the embodiment includes:
an application module, configured to apply for a plurality of memory blocks with randomly determined lengths, where each memory block is obtained in a dynamic allocation manner, and is associated with the memory block in a discontinuous data structure, and reference information of the memory block is stored by using a plurality of nodes in the data structure;
and the storage module is used for dividing the decrypted file containing the sensitive information into a plurality of file blocks with corresponding sizes and respectively storing the file blocks in the plurality of memory blocks.
The application module is further configured to set a random length of the applied memory block for storing the file characteristic information to be smaller than the length of the file characteristic information.
In a preferred embodiment, the apparatus may further include:
and the arranging module is used for rearranging the plurality of memory blocks applied by the applying module in a random sequence and then triggering the storing module to store the file blocks.
The reference information of the memory block includes: an address pointer pointing to the memory block, the length of the memory block and the position information of the file block stored in the memory block in the file;
the nodes in the data structure also hold address pointers pointing to upper and/or lower nodes.
In a preferred embodiment, the apparatus may further include:
and the processing module is used for converting one or more items of information stored in the data structure node, and the conversion modes adopted by different items are the same or different.
In a preferred embodiment, the apparatus may further include:
and the processing module is used for carrying out safety processing when the data structure is provided for other program modules for use.
In a preferred embodiment, the apparatus may further include:
and the processing module is configured to process the data of the file or the data of the file block into contents that cannot be directly used before the storing module divides the file into a plurality of file blocks of corresponding sizes, or before the plurality of divided file blocks are stored in the plurality of memory blocks, respectively.
Of course, the present invention may have other embodiments, and those skilled in the art can make various changes and extensions according to the present invention without departing from the spirit and the essence of the present invention, such as selecting different organization modes of the memory block reference information of the linked list and the binary tree, selecting different node information conversion processes, and the like. It is intended that all such modifications and variations fall within the scope of the appended claims.
Claims (12)
1. A method of protecting sensitive information, comprising:
applying for a plurality of memory blocks with randomly determined lengths, wherein each memory block is acquired in a dynamic allocation mode, is associated with the memory block by a discontinuous data structure, and stores the reference information of the memory block by utilizing a plurality of nodes in the data structure;
dividing the decrypted file containing the sensitive information into a plurality of file blocks with corresponding sizes, and respectively storing the file blocks in the plurality of memory blocks;
the applying for the plurality of memory blocks with randomly determined lengths includes:
and setting the random length of the applied memory block to be smaller than the length of the file.
2. The method of claim 1, wherein: after applying for a plurality of memory blocks with randomly determined lengths, the method further includes:
and rearranging the plurality of memory blocks in a random sequence, and then storing the file blocks.
3. The method of claim 1, wherein:
the reference information of the memory block includes: an address pointer pointing to the memory block, the length of the memory block and the position information of the file block stored in the memory block in the file;
the nodes in the data structure also hold address pointers pointing to upper and/or lower nodes.
4. The method of claim 1, wherein:
the method further comprises the following steps: and converting one or more items of information stored in the data structure nodes, wherein the conversion modes adopted by different items are the same or different.
5. The method of claim 1, wherein:
further comprising: when the data structure is provided for other program modules to use, safety processing is carried out firstly; the security processing includes shift processing or exclusive-or processing.
6. The method of any one of claims 1-5, wherein:
before dividing the file into a plurality of file blocks of corresponding sizes, the method further comprises the following steps: processing data of the file into contents that are not directly usable; or
Respectively storing the divided file blocks before the memory blocks, further comprising: and processing the data of the file block into contents which cannot be directly used.
7. An apparatus for protecting sensitive information, comprising:
an application module, configured to apply for a plurality of memory blocks with randomly determined lengths, where each memory block is obtained in a dynamic allocation manner, and is associated with the memory block in a discontinuous data structure, and reference information of the memory block is stored by using a plurality of nodes in the data structure;
the storage module is used for dividing the decrypted file containing the sensitive information into a plurality of file blocks with corresponding sizes and respectively storing the file blocks in the plurality of memory blocks;
the application module is further configured to set a random length of the applied memory block to be smaller than a file header characteristic length of the file.
8. The apparatus of claim 7, wherein: also comprises the following steps of (1) preparing,
and the arranging module is used for rearranging the plurality of memory blocks applied by the applying module in a random sequence and then triggering the storing module to store the file blocks.
9. The apparatus of claim 7, wherein: further comprising:
the application module applies for the reference information of the memory block, including: an address pointer pointing to the memory block, the length of the memory block and the position information of the file block stored in the memory block in the file;
the nodes in the data structure also hold address pointers pointing to upper and/or lower nodes.
10. The apparatus of claim 8, wherein: also comprises the following steps of (1) preparing,
and the processing module is used for converting one or more items of information stored in the data structure node, and the conversion modes adopted by different items are the same or different.
11. The apparatus of claim 7, wherein: also comprises the following steps of (1) preparing,
the processing module is used for carrying out safety processing when the data structure is provided for other program modules for use; the security processing includes shift processing or exclusive-or processing.
12. The apparatus of any one of claims 7-11, wherein: further comprising:
the processing module is used for processing the data of the file into contents which cannot be directly used before the storage module divides the file into a plurality of file blocks with corresponding sizes; or processing the data of the file blocks into contents which can not be directly used before the plurality of divided file blocks are respectively stored in the plurality of memory blocks.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410461447.9A CN105468543B (en) | 2014-09-11 | 2014-09-11 | Method and device for protecting sensitive information |
| PCT/CN2015/078038 WO2016037488A1 (en) | 2014-09-11 | 2015-04-30 | Method and device for protecting sensitive information |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410461447.9A CN105468543B (en) | 2014-09-11 | 2014-09-11 | Method and device for protecting sensitive information |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105468543A CN105468543A (en) | 2016-04-06 |
| CN105468543B true CN105468543B (en) | 2020-06-16 |
Family
ID=55458323
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410461447.9A Active CN105468543B (en) | 2014-09-11 | 2014-09-11 | Method and device for protecting sensitive information |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN105468543B (en) |
| WO (1) | WO2016037488A1 (en) |
Families Citing this family (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106168883A (en) * | 2016-05-05 | 2016-11-30 | 诸葛晴凤 | A kind of efficient data tissue and access method |
| CN106815301B (en) * | 2016-12-12 | 2020-10-30 | 北京奇虎科技有限公司 | Method and device for storing dex file |
| CN106934280A (en) * | 2017-03-08 | 2017-07-07 | 网易(杭州)网络有限公司 | Internal storage data processing method, device and network game client |
| CN108388496A (en) * | 2018-01-23 | 2018-08-10 | 晶晨半导体(上海)股份有限公司 | A kind of collection method of system log |
| CN108900474A (en) * | 2018-06-05 | 2018-11-27 | 苏州科达科技股份有限公司 | The transmission method of sensitive information, device and electronic equipment |
| CN109920044A (en) * | 2019-02-27 | 2019-06-21 | 浙江科澜信息技术有限公司 | A kind of three-dimensional scene construction method, device, equipment and medium |
| CN112580092B (en) * | 2020-12-07 | 2023-03-24 | 北京明朝万达科技股份有限公司 | Sensitive file identification method and device |
| CN115859384B (en) * | 2022-10-12 | 2023-11-10 | 北京连山科技股份有限公司 | Safety protection method for memory sensitive data residual information of network safety equipment |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101110044A (en) * | 2007-08-28 | 2008-01-23 | 中兴通讯股份有限公司 | Method and system for internal memory monitoring management |
| CN100378666C (en) * | 2002-06-04 | 2008-04-02 | 佐治亚技术研究公司 | Systems, methods and computer program products for leakage-proof program partitioning |
| US7437530B1 (en) * | 2003-04-24 | 2008-10-14 | Network Appliance, Inc. | System and method for mapping file block numbers to logical block addresses |
| CN103118135A (en) * | 2013-02-28 | 2013-05-22 | 中国地质大学(武汉) | Method and system for protecting user data privacy in cloud computing |
| US9158468B2 (en) * | 2013-01-02 | 2015-10-13 | International Business Machines Corporation | High read block clustering at deduplication layer |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5479656A (en) * | 1992-05-13 | 1995-12-26 | Rawlings, Iii; Joseph H. | Method and system for maximizing data files stored in a random access memory of a computer file system and optimization therefor |
| DE102010010851A1 (en) * | 2010-03-10 | 2011-09-15 | Giesecke & Devrient Gmbh | Spying protection when executing an operation sequence in a portable data carrier |
| US9344278B2 (en) * | 2011-10-18 | 2016-05-17 | Broadcom Corporation | Secure data transfer using random ordering and random block sizing |
| CN103607393A (en) * | 2013-11-21 | 2014-02-26 | 浪潮电子信息产业股份有限公司 | Data safety protection method based on data partitioning |
-
2014
- 2014-09-11 CN CN201410461447.9A patent/CN105468543B/en active Active
-
2015
- 2015-04-30 WO PCT/CN2015/078038 patent/WO2016037488A1/en active Application Filing
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100378666C (en) * | 2002-06-04 | 2008-04-02 | 佐治亚技术研究公司 | Systems, methods and computer program products for leakage-proof program partitioning |
| US7437530B1 (en) * | 2003-04-24 | 2008-10-14 | Network Appliance, Inc. | System and method for mapping file block numbers to logical block addresses |
| CN101110044A (en) * | 2007-08-28 | 2008-01-23 | 中兴通讯股份有限公司 | Method and system for internal memory monitoring management |
| US9158468B2 (en) * | 2013-01-02 | 2015-10-13 | International Business Machines Corporation | High read block clustering at deduplication layer |
| CN103118135A (en) * | 2013-02-28 | 2013-05-22 | 中国地质大学(武汉) | Method and system for protecting user data privacy in cloud computing |
Non-Patent Citations (2)
| Title |
|---|
| Pete Broadwell等.Scrash:A System for Generating Secure Crash Information.《12th Conference on USENIX Senurity Symposium》.2003,正文第1-11页. * |
| 杨晓懿等.内存中敏感数据保护.《应用技术》.2004,第34-36页. * |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2016037488A1 (en) | 2016-03-17 |
| CN105468543A (en) | 2016-04-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105468543B (en) | Method and device for protecting sensitive information | |
| US10853270B2 (en) | Cryptographic pointer address encoding | |
| KR101224322B1 (en) | Methods and apparatus for the secure handling of data in a microcontroller | |
| US9811678B2 (en) | Method and system for transferring data and instructions through a host file system | |
| US8856959B2 (en) | Creating distinct user spaces through user identifiers | |
| US20160110295A1 (en) | Secure data encryption in shared storage using namespaces | |
| US20190073475A1 (en) | Ransomware Mitigation System | |
| US20120260106A1 (en) | System and method for binary layout randomization | |
| CN110119302B (en) | Virtual machine monitor and virtual trusted execution environment construction method | |
| US20160239671A1 (en) | Method and device for protecting an application and method and device for executing a protected application thus protected | |
| JP2008527532A (en) | Method for assigning security area to non-security area and portable storage device | |
| US11775177B2 (en) | Integrity tree for memory integrity checking | |
| Zhang et al. | A code protection scheme by process memory relocation for android devices | |
| CN115758420A (en) | File access control method, device, equipment and medium | |
| US20070011096A1 (en) | Method and apparatus for managing DRM rights object in low-performance storage device | |
| US8621606B1 (en) | Systems and methods for identifying external functions called by untrusted applications | |
| CN111159726B (en) | UEFI (unified extensible firmware interface) environment variable-based full-disk encryption and decryption method and system | |
| KR101761799B1 (en) | Apparatus and method for managing data security of terminal | |
| RU2467389C1 (en) | Method of protecting software and dataware from unauthorised use | |
| CN116235174A (en) | Apparatus and method for performing encryption algorithm | |
| US10621149B1 (en) | Stable File System | |
| TWI791995B (en) | Software protection method and system thereof | |
| CN108897994B (en) | Method and device for hiding import table, storage medium and computer equipment | |
| KR102258408B1 (en) | How to obfuscate return commands and how to execute obfuscated return commands | |
| CN101196922A (en) | Information safety equipment and its file memory and access method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |